Hi Bill,

Yes, you can create a host certificate for any hostname, like this:

  grid-cert-request -host hpsstst01e.ucar.edu

It looks like you've already got a hpsstst01e.ucar.edu certificate installed. It seems the problem is the hpsstst01i.ucar.edu "expected name" which is who the client thinks it's connecting to. If you're passing hpsstst01e.ucar.edu on the globus-url-copy command-line, then somehow that's being converted to hpsstst01i.ucar.edu by the resolver. Check /etc/hosts and /etc/resolv.conf. Also check that hpsstst01e.ucar.edu resolves via DNS in both directions. I see:

  $ host hpsstst01e.ucar.edu
  hpsstst01e.ucar.edu has address 128.117.12.53
  $ host 128.117.12.53
  Host 53.12.117.128.in-addr.arpa. not found: 3(NXDOMAIN)

The missing DNS entry for 128.117.12.53 could be a problem. GSI by default will do a reverse DNS lookup to find the "canonical" hostname. There's lots more details at:

  http://dev.globus.org/wiki/C_Security:_Server_Identity_Processing_In_GSI_C
  http://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6331

At those URLs you can find details on how the GSI hostname processing can support wildcards, check subjectAltNames, and disable DNS lookups via the GLOBUS_GSSAPI_NAME_COMPATIBILITY environment variable.

-Jim

On 2/9/10 11:14 AM, Bill Anderson wrote:
>
> Hi there,
>
> I have a host with multiple IP addresses and I'd like to use
> globus-url-copy to connect to one of those addresses. However, the
> address I want to use does not correspond to the hostname for the
> host that shows up with 'uname -a'. I've created a host
> certificate for the hostname that does correspond to the IP
> address I'm trying to connect to, but I continue to get error
> messages like:
>
> 530-globus_gsi_gssapi: Authorization denied: The name of the remote host
> (hpsstst01e.ucar.edu), and the expected name for the remote host
> (hpsstst01i.ucar.edu) do not match. This happens when the name in the host
> certificate does not match the information obtained from DNS and is often a
> DNS configuration problem.
> 530 End.
>
> I'm trying to connect to hpsstst01e.ucar.edu via globus-url-copy,
> but the hostname that's reported by 'uname -a' is 'hpsstst01i.ucar.edu'.
>
> My host certificate is shown below.
>
> Is it possible to create a host certificate for a host where there
> may be differences between the hostname used in connecting to the server
> and the name reported by 'uname'?
>
> Thanks for any help,
>
> Bill
>
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 4 (0x4)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu,
>                 CN=Globus Simple CA
>         Validity
>             Not Before: Feb 9 17:03:12 2010 GMT
>             Not After : Feb 9 17:03:12 2011 GMT
>         Subject: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu,
>                 CN=host/hpsstst01e.ucar.edu
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             Netscape Cert Type:
>                 SSL Client, SSL Server, S/MIME, Object Signing
>     Signature Algorithm: md5WithRSAEncryption
>
> .....
>
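The forward and reverse lookup check suggested in the reply above, as an added example that is not part of the original thread and is not Globus code. The function names and the stand-in resolver tables are hypothetical; the hostnames, address and certificate subject come from the thread, and the local mapping of 128.117.12.53 to hpsstst01i.ucar.edu is an assumed cause used only for illustration.

```python
import socket

def cert_hostname(subject):
    """Hostname from a GSI host certificate subject of the form CN=host/<fqdn>."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value.split("/", 1)[-1].lower()  # drop the "host/" prefix
    raise ValueError("no CN in subject")

def dns_forward(name):
    return socket.gethostbyname(name)

def dns_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def table(entries):
    """Constructed stand-in resolver: raises OSError for unknown keys, like socket."""
    def lookup(key):
        if key not in entries:
            raise OSError("not found: " + key)
        return entries[key]
    return lookup

def check_identity(typed, subject, forward=dns_forward, reverse=dns_reverse):
    """Return (status, canonical name or None) for the name a client connects to."""
    try:
        addr = forward(typed)
    except OSError:
        return ("no-forward", None)
    try:
        canonical = reverse(addr).rstrip(".").lower()
    except OSError:
        return ("no-reverse", None)      # the NXDOMAIN case shown in the reply
    status = "match" if canonical == cert_hostname(subject) else "mismatch"
    return (status, canonical)

# Values from the thread; the reverse tables below are constructed for illustration.
SUBJECT = "O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu, CN=host/hpsstst01e.ucar.edu"
FWD = table({"hpsstst01e.ucar.edu": "128.117.12.53"})
NO_PTR = table({})                                          # reverse zone has no entry
LOCAL_I = table({"128.117.12.53": "hpsstst01i.ucar.edu"})   # assumed local mapping
FIXED = table({"128.117.12.53": "hpsstst01e.ucar.edu."})    # PTR added for the 'e' name

if __name__ == "__main__":
    for label, rev in (("no PTR", NO_PTR), ("maps to 01i", LOCAL_I), ("PTR fixed", FIXED)):
        print(label, check_identity("hpsstst01e.ucar.edu", SUBJECT, FWD, rev))
```

Called without the `forward` and `reverse` arguments, `check_identity` uses the system resolver, so it reflects /etc/hosts as well as DNS on the machine where it runs.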
